CVE-2018-19148

Name of the Vulnerable Software and Affected Versions Caddy versions prior to 0.11.0

Description The issue allows attackers to enumerate hostnames more easily by sending incorrect requests. When Caddy cannot match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost. Repeated requests with a nonexistent hostname permit full enumeration of all certificates on the server, making it easier to discover the existence of and relationships among hostnames that were not meant to be public.

Recommendations For versions prior to 0.11.0, update to version 0.11.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the server to minimize the risk of exploitation.